Improving IT Security Through IT Operations
Building on a secure foundation
IT Security Threat Categories as Seen by Information Security Standards (Compliance)

Threat categories: Accidents, Malicious Acts, Acts of God

Two of the three threat categories must be managed by IT Operations and can be addressed through process.
IT Security “Pyramid of Needs”

IT Security (top of the pyramid, as listed on the slide):
• Audits/Compliance
• Monitoring
• Incident response
• Standards
• Policy

IT Operations (base of the pyramid)

You cannot manage IT Security without healthy IT Operations.
Requirements For IT Operations Disguised as Security

IT Security (external compliance sources):
• ISO 27001
• PCI
• MITS (Canada)
• US (state) cyber security policy

IT Operations: there are hidden IT Operations requirements in IT Security Compliance (think DRP, network architecture, identity/access management etc.).

External compliance sees IT Security as governance for all IT and forces IT Security concerns to dominate IT Operations decision making unless it is already aligned with security objectives.
Hidden Cost of Security for IT Operations

IT Security
• Compliance
• Information Security Standard
Cost: wasted resources on an ineffective security program built on an insecure foundation

IT Operations
• Disruption due to compliance audits
• Inefficient incident response
Getting Security out of your kitchen:
What Security Manages vs. What IT Operations Manages

IT Security
• IT Security Policy/Standards
• Risk Assessment
• Vulnerability Assessment
• *Compliance (Internal/External)
• *Audits (Internal/External)
• IT Security Monitoring and Alerting
• Malicious Incident Response

IT Operations
• Configuration Management
• Life Cycle Support
• Disaster Recovery Planning and TESTING
• Non Malicious Incident Response (Availability)

*External Compliance and Audits require IT Operations to report the status of some processes to IT Security (e.g. baseline configuration, DRP)
Configuration Management
Baselines (Application and System)

• One baseline configuration document per OS variant
• One baseline configuration document per application
• Review of baselines for new versions of application or OS
• Mandatory that all systems meet baseline

IT Security Services

• Mandatory internal compliance audit to ensure baseline is applied
  during test phase
• Internal compliance audit to ensure baseline is maintained during life
  cycle
• Advice on system hardening and secure configuration for baselines
Life Cycle Support
Deployment and System Support Documentation

• A system support document must be created for all systems that are supported and include the following:
  • Asset list for the system
  • Network Diagram
  • System and Application baseline document and additional configuration
  • Release management acceptance document for all in-house developed software

Change Management

• All production systems must be subject to change management
• All changes must be tracked and deployment and system support documentation updated
• Some changes may require approval based on criteria set by IT Operations Management

Patch Management

• All production systems must have a defined patch cycle
• Resources must be made available for out of cycle patching of critical security vulnerabilities

IT Security Services

• Critical vulnerability alerts
• Risk assessment and vulnerability assessments for new systems and critical system changes
Disaster Recovery Planning and Testing
Disaster Recovery Plan (DRP)

• All production systems must have a DRP written down
• The plan can indicate that the system has no DRP in the case of non critical systems
• The DRP must include steps taken to bring the system back online

Testing

• All systems with a DRP must have a defined test schedule
• A DRP test is only considered complete if all the steps in the DRP are executed
Non Malicious Incident Response (Availability)
Monitoring

• Monitor production systems for availability, unauthorized access, and unauthorized
  configuration changes and other incidents

Incident Response

• Respond to all system incidents and lead the investigation into non malicious incidents

Corrective Action

• Track non malicious incidents and implement corrective action where trends appear
• Implement corrective action recommended by IT Security in the event of a malicious incident

IT Security Services

• Monitor systems for malicious incidents
• Inform IT Operations of all incidents
• Investigate and provide corrective action for all malicious incidents
A high level view

System Development Life Cycle phases and the processes attached to each (as laid out on the slide):

Requirements / Design
• Baseline Configuration
• Deployment and Support Docs
• DRP
• Defined patch cycle
• Risk Assessment

Implement
• Implement monitoring

Test
• Test DRP
• Vulnerability Assessment
• Internal Compliance Audit

Operate/Maintain
• DRP Test Schedule
• Patch Management
• Change Management
• Monitoring/Incident Response
• Vulnerability Assessment
• Internal Compliance Audit

Retire
Ensuring Your Processes Meet Compliance Requirements

Audit Fundamentals
• If it’s not followed it’s an incident
• If it’s not reviewed and enforced it doesn’t comply
• If it’s not written down it doesn’t exist
Drawing A Line In The Sand

Security views all systems that are not governed by these processes as Security Unmanaged.
Getting From Unmanaged to Managed

1. Define and document your processes
   • Each process must exist and be enforced through a policy or operating procedure
   • Existing processes can be amended and written down

2. Create a system upgrade plan for migration from unmanaged to managed
   • Plan must include either an end of life or compliance date for all systems
   • Systems should be prioritized based on the business processes they support

3. Ensure all new systems conform to processes
   • Action the unmanaged to managed plan
KPIs – Measuring (IT Operations) Security Posture

IT Operations security coverage
• Number of managed vs. unmanaged systems

IT Operations security management
• Number of non compliance findings on managed systems (percent of total systems)

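The managed/unmanaged line, the baseline compliance audit, the "unauthorized configuration change is an incident" rule and the two KPIs above can be wired together in one audit routine. This is an added example, not code from the deck; the baselines, the inventory, the change log and the setting names are all constructed, and the managed test (baseline + support document + DRP + patch cycle) is an assumption drawn from the process list on the earlier slides.

```python
"""Baseline compliance audit reconciled against change management.

Added example, not code from the slide deck; all inputs are constructed.
Rules follow the deck: no baseline/support doc/DRP/patch cycle means
security unmanaged; a deviation from baseline is a finding; a deviation
without a tracked, approved change is an unauthorized change (incident).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baselines, one per OS variant (hypothetical settings).
BASELINES: Dict[str, Dict[str, str]] = {
    "ubuntu-22.04": {"ssh.PermitRootLogin": "no",
                     "ssh.PasswordAuthentication": "no", "auditd.enabled": "yes"},
    "windows-2019": {"smb.v1_enabled": "no", "rdp.nla_required": "yes"},
}

@dataclass
class System:
    name: str
    os_variant: str
    observed: Dict[str, str]          # configuration collected from the host
    has_support_doc: bool = False
    has_drp: bool = False
    patch_cycle_days: Optional[int] = None

@dataclass
class Change:                          # one tracked change-management record
    system: str
    setting: str
    new_value: str
    approved: bool

def is_managed(s: System) -> bool:
    """Security managed only if every process in the deck covers the system."""
    return (s.os_variant in BASELINES and s.has_support_doc
            and s.has_drp and s.patch_cycle_days is not None)

def audit_system(s: System, changes: List[Change]) -> Dict[str, List[str]]:
    """Compare a managed system with its baseline: every deviation is a
    finding; a deviation with no approved change record is also an incident."""
    baseline = BASELINES[s.os_variant]
    approved = {(c.setting, c.new_value)
                for c in changes if c.system == s.name and c.approved}
    findings, incidents = [], []
    for setting, expected in baseline.items():
        actual = s.observed.get(setting, "<missing>")
        if actual == expected:
            continue
        findings.append(f"{s.name}: {setting}={actual} (baseline {expected})")
        if (setting, actual) not in approved:
            incidents.append(f"unauthorized change to {setting} on {s.name}")
    return {"findings": findings, "incidents": incidents}

def security_posture(systems: List[System], changes: List[Change]) -> Dict[str, object]:
    """The deck's two KPIs plus the incidents that monitoring should raise."""
    managed = [s for s in systems if is_managed(s)]
    unmanaged = [s.name for s in systems if not is_managed(s)]
    noncompliant, incidents = [], []
    for s in managed:
        result = audit_system(s, changes)
        if result["findings"]:
            noncompliant.append(s.name)
        incidents.extend(result["incidents"])
    total = len(systems)
    pct = round(100.0 * len(noncompliant) / total, 1) if total else 0.0
    return {"managed": len(managed), "unmanaged": unmanaged,
            "noncompliant_managed": noncompliant,
            "noncompliant_pct_of_total": pct, "incidents": incidents}

# Constructed inventory and change log for a stand-alone run.
SYSTEMS = [
    System("web01", "ubuntu-22.04", {"ssh.PermitRootLogin": "no",
           "ssh.PasswordAuthentication": "no", "auditd.enabled": "yes"}, True, True, 30),
    System("db01", "ubuntu-22.04", {"ssh.PermitRootLogin": "yes",
           "ssh.PasswordAuthentication": "no", "auditd.enabled": "yes"}, True, True, 30),
    System("fs01", "windows-2019", {"smb.v1_enabled": "yes", "rdp.nla_required": "yes"},
           True, True, 30),
    System("legacy01", "solaris-10", {}),  # no baseline, docs, DRP or patch cycle
]
CHANGES = [Change("fs01", "smb.v1_enabled", "yes", approved=True)]

if __name__ == "__main__":
    print(security_posture(SYSTEMS, CHANGES))
```

The approved SMBv1 deviation on fs01 still counts against the baseline KPI but raises no incident; the untracked root-login change on db01 is the one monitoring should escalate.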